Douglas Otis <[EMAIL PROTECTED]> writes:
> On Apr 3, 2006, at 9:53 AM, Arvel Hathcock wrote:
>
>> > 1. Whether we want to have a mechanism to let the signature survive
>> > the reordering of multiple sig headers or not. I've heard Mike and
>> > Dave say no, we don't. Is that correct?
>>
>> I've also said it's added complexity that I don't think we need.
>>
>> > 2. Whether we want to be able to detect the removal of a signature
>> > header (as perhaps in the case of a "stronger" one and leaving a
>> > "weaker" one). I think the consensus is that we don't care about
>> > this; I'd like to confirm that.
>>
>> Right, we don't care about that.
>
> Email can not easily negotiate these algorithms. Are you expecting
> to sign messages differently for each recipient?
>
> A verifier must be able to detect when a stronger signature has been
> removed when two signatures are offered. Without this ability to
> detect such a removal, all verifiers and senders will remain at risk
> to a downgrade attack during perhaps a _very_ long algorithm
> transition period. It requires very little to repair this problem at
> the outset.

Sorry, I still don't understand what the purpose or impact of this
attack is. Can you explain?

-Ekr

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html